Enable multiple claims for remote_user_claim

[cm0s]

I'm currently using the following directive to define the claim used for remote_user:

OAuth2TargetPass remote_user_claim=sub

In my Apache configuration, I use multiple OAuth2TokenVerify directives to accept both opaque and JWT tokens from two different providers. This flexibility is very useful and something I couldn't achieve with mod_auth_openidc.

However, I'm facing an issue: I can only specify a single claim for remote_user_claim. This becomes problematic because the claim containing the desired user identifier differs between providers—for example, one uses sub, while the other uses email.

Ideally, I would like to specify multiple fallback claims, something like:

OAuth2TargetPass remote_user_claim=sub,email

Where the first available claim with a value would be used as remote_user. Unfortunately, this doesn't seem to be supported.

If anyone has a workaround or a way to implement this behavior with mod_auth2, I’d really appreciate your input!

[zandbelt]

basically remote_user_claim renders the value in the REMOTE_USER header in the Apache specific bindings; you should be able pull the REMOTE_USER claim from other (environment) variables - possible in a conditional way - and overwrite that header, using something like this:

  RequestHeader set REMOTE_USER "%{OAUTH2_CLAIM_sub}e" env=OAUTH2_CLAIM_sub
  RequestHeader set REMOTE_USER "%{OAUTH2_CLAIM_email}e" env=!OAUTH2_CLAIM_sub

be aware that this kind of applies namespaces of the two providers on top of each other (i.e. the same sub may be used by both providers), but that would be the case anyway in your environment

[cm0s]

Thank you for sharing this solution 👍

To avoid the following errors:

oauth2_apache_set_request_user: remote user claim "sub" could not be found
oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Could not determine remote user."

I had to set the remote_user_claim option to a claim that is present in both tokens—for example, "iss". After that, I applied your suggestion to override the REMOTE_USER header.

It might be helpful if the module allowed us to disable the remote_user_claim option entirely in such cases, to avoid triggering these errors. That said, my use case might be a bit of an edge case.

[zandbelt]

I believe it is an edge case indeed: having email but not sub seems backwards, sub is required in RFC 9068
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens , it is only token introspection that leaves sub as defined but optional